New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 20 - INFORMATION SECURITY OPERATION MANAGEMENT
Section 1.12.20.17 - DEDICATED NETWORK CONNECTIONS
Current through Register Vol. 35, No. 18, September 24, 2024
A. The internet is inherently insecure; access to the internet is prohibited from any device that is connected (wired or wireless) to any part of the state network unless such access is authorized via exception signed by the state CIO. Such access includes accounts with third-party internet service providers.
B. Any dedicated network connection from the agency network to any external network (either within or outside state government) shall be first approved in writing by the DoIT.
C. Dedicated network connections shall be allowed after the requesting agency has presented its proposed network architecture for approval by the DoIT; DoIT will approve if the proposal has acceptable security controls and procedures in place, and appropriate security measures have been implemented by the agency to protect state network resources. The agency shall perform a risk analysis of the connection to ensure that the connection to the external network shall not compromise the agency's private network. The agency may require that additional controls, such as the establishment of firewalls and a DMZ (demilitarized zone), be implemented between the third-party connection and the agency.
D. The dedicated connection to the agency network shall be accomplished by the agency in a secure manner to preserve the integrity of the agency network, the integrity of the data transmitted over that network, and the availability of the network to the agency. Security requirements for each connection shall be assessed individually and permission to use such connection shall be driven by the specific business needs of the agency. Only agency CIO-approved and qualified staff or agency CIO-approved and qualified third party shall be permitted to use sniffers or similar technology on the network to monitor operational data and security events.
E. The agency ISO or designee shall every six (6) months review external network connections, audit trails and system logs for abuses and anomalies.
F. Any agency-approved third-party network or workstation connection to an agency network shall: